The U.S. International Trade Commission is an independent, nonpartisan, quasi-judicial federal agency
that provides trade expertise to both the legislative and executive branches of government, determines the
impact of imports on U.S. industries, and directs actions against certain unfair trade practices, such as
patent, trademark, and copyright infringement. USITC analysts and economists investigate and publish
reports on U.S. industries and the global trends that affect them. The agency also maintains and publishes
the Harmonized Tariff Schedule of the United States.

Commissioners
Deanna Tanner Okun, Chairman
Irving A. Williamson, Vice Chairman
Charlotte R. Lane
Daniel R. Pearson
Shara L. Aranoff
Dean A. Pinkert

OFFICE OF INSPECTOR GENERAL
UNITED STATES INTERNATIONAL TRADE COMMISSION
WASHINGTON, DC 20436

VIA ELECTRONIC TRANSMISSION

June 29, 2011                                                          OIG-JJ-008

Chairman Okun:

This memorandum transmits the Office of Inspector General's final report Audit of Account
Management OIG-AR-11-11. In finalizing the report, we analyzed management's
comments on our draft report and have included those comments in their entirety in
Appendix A.

This report contains eight recommendations for corrective action. In the next 30 days,
please provide me with your management decisions describing the specific actions that you
will take to implement each recommendation.

Thank you for the courtesies extended to my staff during this audit.

Sincerely,

Philip M. Heneghan
Inspector General

U.S. International Trade Commission
Audit Report

Table of Contents
Results of Audit
Areas for Improvement
   Area for Improvement 1: Data owners should maintain permissions to restrict access to data.
   Area for Improvement 2: Consistently configure network accounts for contractors.
   Area for Improvement 3: Reduce the number of authentication systems in use.
Management Comments and Our Analysis
Objective, Scope, and Methodology
Appendix A: Management Comments on Draft Report

Results of Audit

The purpose of the audit was to answer the question:

       Does the Commission effectively limit network access?

Yes, the Commission effectively limits network access.

Organizations control access to data by limiting network access, typically by requiring
the use of credentials that include something the user knows, such as a user name and a
password. Organizations with stronger authentication requirements also require
something users physically possess, such as an authentication device or Personal Identity
Verification (PIV) card.
When this information is entered into a system, an
authentication system checks that an account with that user name exists and is enabled,
and verifies the password. Once authenticated, the login process is allowed to continue,
and the user receives access to the data they have been permitted to modify and view.
Preventing access to the network by unauthorized users is the most important component
of an account management program. The Commission prevented unauthorized access by:

   1. Immediately disabling accounts when users are no longer authorized to access the
      network;
   2. Requiring the use of a hardware device, a PIN, an active user account and a strong
      password to access the network externally; and
   3. Requiring physical identification, an active user account and a password to access
      the network internally.

Enabled accounts allow access to the network. When users leave, these accounts should
be immediately disabled to prevent unauthorized access to the network. On January 13,
2011, we performed an analysis of user accounts on the ITCNet domain, and found that
no user accounts were improperly enabled. The Commission has done an effective job of
removing this important means of unauthorized network access.

While the Commission effectively prevents unauthorized network access, we have
identified some areas where it can further improve its security controls concerning users
that are authorized to access the network. These areas include maintenance of
permissions to better restrict access to data, improved consistency of contractor account
data, and consolidation of authentication systems.

Areas for Improvement

Area for Improvement 1:
Data owners should maintain permissions to restrict access to data.

Commission staff and contractors access data using a variety of means, primarily through
the use of intranet sites and mapped network drives. Much of this data is grouped by
office, where staff in those offices work on data specific to that office. In many offices,
such as Human Resources, Finance, and Investigations, the permissions granted are
intended to make data accessible only to the staff of those offices.

We analyzed the permissions assigned to two users that had been recently reassigned to
new, permanent positions in the Commission. We found that their permissions reflected
the needs of their current positions, but also inappropriately provided them with
office-specific access required by their previous positions.

Because permissions are typically discovered using technical tools, the owners of data
may not know or control who retains access to their data. Over time, as employees are
reassigned to other roles within the organization, their permissions need to be updated to
reflect these new roles. If permissions are not kept up-to-date, they become a historical
record of all users or accounts that ever had access to that data, instead of identifying who
currently has access to the data. Our analysis of the Commission's shared files and
folders identified 260,545 variations in permissions for shared data, a large number for
an organization with fewer than 500 users.

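The drift described above (a reassigned user keeping the access of a previous office, and owners who cannot see who holds it) can be surfaced mechanically once the owning office of each share and each user's current office are known. The following is an added example, not Commission tooling or data: it works on constructed inputs that stand in for the exports an administrator would pull (an ACL listing of shared folders as icacls or Get-Acl would produce it, group membership, a folder-to-owning-office mapping, and the HR roster of current offices), resolves nested groups to user accounts, flags every grant whose holder now sits outside the owning office, and groups the results per data owner. All names, paths, group names and the exempt-principal list are assumptions.

```python
"""Report shared-folder permissions that no longer match a user's current office.

Added example; not Commission tooling. Inputs are constructed stand-ins for the
exports an administrator would pull; every name and path below is an assumption.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# (folder, principal, rights) rows, as an icacls / Get-Acl export would list them.
ACL_EXPORT = [
    (r"\\fs1\Finance", "Finance-Staff", "Modify"),
    (r"\\fs1\Finance", "jdoe", "Modify"),            # direct grant from jdoe's prior role
    (r"\\fs1\HR", "HR-Staff", "Modify"),
    (r"\\fs1\HR", "Domain Admins", "FullControl"),
    (r"\\fs1\Investigations", "INV-Staff", "Modify"),
    (r"\\fs1\Investigations", "HR-Staff", "Read"),   # another office's group
]
# Group -> members; a member may itself be a group (nesting is resolved below).
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "Finance-Staff": {"asmith", "jdoe"},   # jdoe moved to Investigations, never removed
    "HR-Staff": {"bjones"},
    "INV-Staff": {"Investigators", "cwu"},
    "Investigators": {"jdoe"},
    "Domain Admins": {"admin1"},
}
# Folder -> owning office: the data-owner mapping the audit asks the Commission to build.
FOLDER_OWNER = {
    r"\\fs1\Finance": "Finance",
    r"\\fs1\HR": "Human Resources",
    r"\\fs1\Investigations": "Investigations",
}
# HR roster: user -> current office.
CURRENT_OFFICE = {
    "asmith": "Finance",
    "jdoe": "Investigations",
    "bjones": "Human Resources",
    "cwu": "Investigations",
    "admin1": "Office of the CIO",
}
# Principals whose access is justified by function rather than office (assumption).
EXEMPT_PRINCIPALS = {"Domain Admins"}

Entry = Tuple[str, str, str, str]  # (folder, user, granted_via, rights)


def expand_principal(principal: str, groups: Dict[str, Set[str]],
                     seen: Optional[Set[str]] = None) -> Set[str]:
    """Resolve a principal to the user accounts it grants access to.

    A name that is not a known group is treated as a user (a direct grant).
    `seen` guards against circular group nesting.
    """
    seen = set() if seen is None else seen
    if principal not in groups:
        return {principal}
    if principal in seen:
        return set()
    seen.add(principal)
    users: Set[str] = set()
    for member in groups[principal]:
        users |= expand_principal(member, groups, seen)
    return users


def stale_entries(acl: Iterable[Tuple[str, str, str]], groups: Dict[str, Set[str]],
                  folder_owner: Dict[str, str], current_office: Dict[str, str],
                  exempt: Set[str]) -> List[Entry]:
    """Every (folder, user, granted_via, rights) whose user's current office is not
    the folder's owning office. Users missing from the roster are flagged too,
    since no office can vouch for their access."""
    flagged: List[Entry] = []
    for folder, principal, rights in acl:
        if principal in exempt:
            continue
        owner = folder_owner.get(folder)
        for user in expand_principal(principal, groups):
            if current_office.get(user) != owner:
                flagged.append((folder, user, principal, rights))
    return sorted(flagged)


def owner_report(flagged: List[Entry], folder_owner: Dict[str, str]) -> Dict[str, List[Entry]]:
    """Group flagged entries by owning office so each data owner receives only
    the entries for their folders; an empty list means nothing to review."""
    report: Dict[str, List[Entry]] = {office: [] for office in set(folder_owner.values())}
    for entry in flagged:
        report[folder_owner[entry[0]]].append(entry)
    return report


if __name__ == "__main__":
    flagged = stale_entries(ACL_EXPORT, GROUP_MEMBERS, FOLDER_OWNER, CURRENT_OFFICE, EXEMPT_PRINCIPALS)
    for office, entries in sorted(owner_report(flagged, FOLDER_OWNER).items()):
        print(f"{office}: {len(entries)} entries to review")
        for folder, user, via, rights in entries:
            print(f"  {folder}  {user}  via {via}  ({rights})")
```

Run against the constructed data, the report to the Finance owner lists jdoe twice (once through the Finance-Staff group, once through a direct grant), the Investigations owner sees the HR-Staff read grant, and Human Resources receives an empty list. Flagging the granting principal alongside the user matters in practice: removing a direct grant fixes one user, while a stale group membership has to be fixed in the group or it resurfaces on every folder that group can reach.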
The Commission places the responsibility for
maintaining these permissions on the Chief Information Officer (CIO), but only the
owners of data actually know who should have access.

The maintenance of correct permissions requires a concerted effort by the functions of
contracts, human resources, personnel security, and program offices to provide the CIO
with status updates as they relate to accounts and their access to data. For example, when
an employee is detailed or reassigned, the new program office must notify the CIO that
the employee has new responsibilities which require new permissions, and the original
program office must define the permissions no longer required. If this process is not
implemented, users will retain access to data that their jobs do not require, and the
Commission's data will be subject to unnecessary risk.

To maintain correct permissions for access to Commission data, the CIO should
periodically provide clear reports to data owners detailing who has access to their data,
and assist in the maintenance of these permissions.

Recommendation 1:

That the Commission develop and implement a program to have the functions of
contracts, human resources, personnel security, program, and other administrative offices
notify the CIO when employee or contractor assignment status changes require the
enabling or disabling of permissions.

Recommendation 2:

That the Commission identify the owner of all office and division-specific data.

Recommendation 3:

That the CIO perform a one-time cleanup of file and folder permissions.

Recommendation 4:

That the CIO provide a periodic listing of permissions to data owners.

Recommendation 5:

That the data owners review permissions on a periodic basis to verify that all users with
access are authorized.

Area for Improvement 2:
Consistently configure network accounts for contractors.

The Commission identifies contractor accounts through several means, such as including
"(Contractor)" in the account description, and through membership in a special
"Contractors" group. It also sets an automatic expiration date for these accounts that is
tied to the final day of the contract. These conditions allow contractor accounts to be
quickly recognized and ensure that access to the network does not extend beyond the
contract expiration date.

While analyzing contractor accounts, we found:

   • Some members identified in the "Contractors" group were in fact employees;
   • Contractors were not always identified in the account description or through
     contractor group membership; and
   • Some contractor accounts were missing the expiration date associated with their
     contract.

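Each of the three findings above is a mismatch between what the domain says about an account and what the contracts and HR functions know about the person behind it, so all three can be checked from the same two inputs. The following is an added example, not Commission tooling or data: it compares a constructed export of domain accounts (the fields an administrator would pull with Get-ADUser: name, description, enabled flag, account expiration, group membership) against a constructed roster from the contracts and HR functions. The roster format, the finding codes and the sample accounts are assumptions. The first three checks match the three findings listed above; the fourth applies the same roster comparison to the departed-user check described under Results of Audit, so one pass covers both passages.

```python
"""Consistency checks for contractor and departed-user accounts.

Added example; not Commission tooling. The account export, the roster and the
finding codes are constructed assumptions standing in for real exports.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

CONTRACTOR_GROUP = "Contractors"
CONTRACTOR_TAG = "(contractor)"   # matched case-insensitively in the description


@dataclass(frozen=True)
class Account:
    name: str
    description: str
    enabled: bool
    expires: Optional[date]       # AccountExpirationDate, None if not set
    member_of: Set[str]


@dataclass(frozen=True)
class RosterEntry:
    kind: str                     # "employee" or "contractor"
    contract_end: Optional[date]  # final day of the contract, contractors only
    separated_on: Optional[date]  # set once HR records a departure


@dataclass(frozen=True)
class Finding:
    account: str
    code: str
    detail: str


# Constructed sample data.
ACCOUNTS = [
    Account("asmith", "Finance Analyst", True, None, {"Finance-Staff"}),
    Account("rlee", "Help Desk (Contractor)", True, date(2011, 9, 30), {CONTRACTOR_GROUP}),
    Account("tnguyen", "Network Engineer", True, None, {CONTRACTOR_GROUP, "Net-Admins"}),
    Account("mpatel", "Developer", True, date(2011, 12, 31), {"Dev-Staff"}),
    Account("kgarcia", "DBA (Contractor)", True, None, {CONTRACTOR_GROUP}),
    Account("pold", "Economist", True, None, {"Econ-Staff"}),
]
ROSTER: Dict[str, RosterEntry] = {
    "asmith": RosterEntry("employee", None, None),
    "rlee": RosterEntry("contractor", date(2011, 9, 30), None),
    "tnguyen": RosterEntry("employee", None, None),                 # employee placed in Contractors
    "mpatel": RosterEntry("contractor", date(2011, 12, 31), None),  # neither tagged nor grouped
    "kgarcia": RosterEntry("contractor", date(2012, 3, 31), None),  # no expiration set
    "pold": RosterEntry("employee", None, date(2011, 1, 7)),        # left, account still enabled
}


def is_marked_contractor(acct: Account) -> bool:
    """True if either of the Commission's two markers identifies the account."""
    return CONTRACTOR_TAG in acct.description.lower() or CONTRACTOR_GROUP in acct.member_of


def audit_accounts(accounts: List[Account], roster: Dict[str, RosterEntry],
                   as_of: date) -> List[Finding]:
    """Compare each domain account with its roster record and return every mismatch."""
    findings: List[Finding] = []
    for acct in accounts:
        person = roster.get(acct.name)
        if person is None:
            findings.append(Finding(acct.name, "NO_ROSTER_RECORD",
                                    "account has no matching HR or contract record"))
            continue
        if person.kind == "employee" and CONTRACTOR_GROUP in acct.member_of:
            findings.append(Finding(acct.name, "EMPLOYEE_IN_CONTRACTOR_GROUP",
                                    "employee is a member of the Contractors group"))
        if person.kind == "contractor":
            if not is_marked_contractor(acct):
                findings.append(Finding(acct.name, "CONTRACTOR_NOT_IDENTIFIED",
                                        "neither description tag nor group marks this contractor"))
            if acct.expires is None:
                findings.append(Finding(acct.name, "CONTRACTOR_EXPIRATION_MISSING",
                                        f"no expiration set; contract ends {person.contract_end}"))
            elif acct.expires != person.contract_end:
                findings.append(Finding(acct.name, "CONTRACTOR_EXPIRATION_MISMATCH",
                                        f"expires {acct.expires}, contract ends {person.contract_end}"))
        if acct.enabled and person.separated_on is not None and person.separated_on <= as_of:
            findings.append(Finding(acct.name, "ENABLED_AFTER_SEPARATION",
                                    f"still enabled; separated {person.separated_on}"))
    return sorted(findings, key=lambda f: (f.account, f.code))


if __name__ == "__main__":
    for f in audit_accounts(ACCOUNTS, ROSTER, date(2011, 1, 13)):
        print(f"{f.account:10} {f.code:32} {f.detail}")
```

Against the constructed data the pass yields four findings: tnguyen (an employee in the Contractors group), mpatel (a contractor carrying neither marker), kgarcia (a contractor with no expiration set) and pold (separated on 7 January but still enabled on the 13th). The expiration-mismatch code goes a step beyond the report's finding, which only mentions missing dates; an expiration that was set once and never moved when a contract was extended or shortened is the same control failing more quietly.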
The Commission has not consistently implemented its procedures to identify contractor
accounts. Because of this, it is difficult to identify contractor accounts, increasing the
risk that these accounts might not be quickly disabled upon contract expiration.

Recommendation 6:

That the CIO update all contractor accounts to consistently identify these accounts and
their contract expiration dates.

Area for Improvement 3:
Reduce the number of authentication systems in use.

Centralized authentication systems make it possible to use one username and password to
access multiple systems, including workstations, fileservers, and email services. They
eliminate the need for users to remember and maintain multiple accounts and passwords,
and reduce the labor required to manage user accounts.

The CIO has effectively limited the number of authentication systems for standard users
of workstations and servers in the Active Directory domain; however, the CIO has not
implemented a centralized authentication system for many servers or network
infrastructure devices. Currently, each of these devices maintains its own authentication
infrastructure, resulting in redundant user accounts and passwords and in inefficient
account management.

Recommendation 7:

That the CIO identify all authentication systems in use within the Commission.

Recommendation 8:

That the CIO evaluate opportunities to reduce the number of authentication systems in
use.

Management Comments and Our Analysis

On June 21, 2011, Chairman Deanna Tanner Okun provided management comments on
the draft audit report. The Chairman agreed with our assessment that the Commission is
effectively limiting network access, and recognized that the Commission can further
enhance its security by implementing the recommendations detailed in the three areas for
improvement. The Chairman's response is provided in its entirety as Appendix A.

Objective, Scope, and Methodology

Objective:

Does the Commission effectively limit network access?

Scope:

On January 13, 2011, we audited the enabled accounts on ITCNet. Operational staff
provided us with the account policies and listings of enabled accounts for a range of other
infrastructure devices including servers, RSA authentication, and permissions for domain
users of shared drives.

Methodology:

       a. Collect and analyze enabled accounts on the ITC domain.
       b. Collect data for users of systems not authenticated by the ITC domain.
       c. Analyze logs for secondary authentication systems (hardware tokens for
          remote access).
       d. Assess and attempt to quantify different authentication systems in use.
       e. Analyze permissions for commonly used file shares.
       f. Identify user permissions unrelated to current job functions.

We conducted this performance audit in accordance with Generally Accepted
Government Auditing Standards (GAGAS). Those standards require that we plan and
perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis
for our findings and conclusions based on our audit objectives. We believe that the
evidence obtained provides a reasonable basis for our findings and conclusions based on
our audit objectives.

Appendix A: Management Comments on Draft Report

"Thacher's Calculating Instrument," developed by Edwin Thacher in the late 1870s. It is a cylindrical, rotating slide
rule able to perform complex mathematical calculations involving roots and powers quickly. The instrument was used
by architects, engineers, and actuaries as a measuring device.